NBN security more than just the network

Summary:Creating an open, borderless network for the ever-expanding NBN Co organisation came down to creating a highly segmented network divided across the company's different businesses, according to the company's general manager of information and security Peter Watson.

Creating an open, borderless network for the ever-expanding NBN Co organisation came down to creating a highly segmented network divided across the company's different businesses, according to the company's general manager of information and security Peter Watson.

Huawei would only be tendering for network infrastructure work; Watson, on the other hand, is responsible for the security of the entire NBN Co entity. NBN Co is segmented into three different companies, Watson told Cisco Live! on Friday: one for the National Broadband Network (NBN) itself, one for the construction company and, lastly, one for the corporate entity of NBN Co.

This meant that security and information standards across the business would be quite varied, and Watson said establishing the right framework for information and security management from the outset was critical, because the business was growing at a rapid pace as the network roll-out ramped up.

"One of the key things we've done in developing our control framework and architecting the security and architecting the information architecture is that we went through and identified what were all the standards, what were all the models we needed to use and then developed a control framework off that," he said.

"From that control framework we then identified what the requirements we needed to put in place."

Watson said that the network was able to be open through the segmentation of all business units, combined with an underlying security layer that allows Watson to keep a holistic view of security of information across the entire network.

"By creating this network services layer, it allows us to identify what are the communications on the highest level that should be occurring between those business units, and then within those business units we start breaking it down even further."

"What that has given us, is really ... by having that understanding and building the shared security services that are adapting to the business model ... that has created this borderless business level ... or open business model," he said.

Watson said he could let each of the business units within NBN Co choose how information is presented to them, whether that be on a desktop, through a thin client, via web-based services or through a portal.

"I can let them do any of that because I'm controlling at that underlying layer how the traffic flows over the network, what the security characteristics are and what information is actually being used," he said.

Ultimately, the general manager said it was important that NBN Co's security and information management framework was developed in a way that he could adapt to the business rather than the business adapting to meet his requirements.

"We wanted to minimise the impact on the business. I don't want to be the blocker to the business because the business has a lot of work and a lot of activity [that] they've got to be doing."

He also had to plan ahead for what NBN Co would need in 10 years' time when the roll-out of the NBN is closer to completion.

"The business is going to hate me and the general public is going to hate me if I came back in five years' time and said now I've got to rebuild it all again. We're continually putting pressure on our partners to ... tell us what [their] product roadmap is. Not just for the next three months, six months, 12 months, two years. We want to know what's coming down the track so we can start architecting and building out for it so we don't do the rework."

Watson said that he can't go back to the CTO and ask for an upgrade to security functionality; his chance to get it bedded down right was when the massive network was first being designed.

"When it was first designing the network, that was my opportunity where I was shoving [in] a lot of the security. The second release of the network, I shoved a lot more security in. As the network gets bigger as with every large enterprise, it gets a lot harder to create massive change."